Risk Configuration
Ketryx allows full customization of risk matrices, risk field values, and risk evaluation logic to align with your organization's risk management methodology.
This page acts as a reference for all the various configurations possible beyond the default risk setup described in MAN-08 Risk Management.
How to configure
Risk configuration can be set at two levels:
Organization level - Affects all projects in the organization (requires organization owner permissions)
Project level - Scopes configuration to a specific project and overrides organization settings (requires project management permissions)
Navigate to Advanced Settings and configure the individual risk configuration fields. Each field accepts valid JSON structures. If a field is not configured, system defaults are used.
Configuring probability and severity values
Before defining risk matrices, you must first configure the available values for probability, severity, and risk evaluation fields. These values serve as the building blocks that will be referenced in your matrix configurations.
Important: All values used in your risk matrices must be defined in these configuration fields first or you will encounter unexpected behavior when working on your Risks.
Warning: If these fields are mapped to Jira custom fields via Field names configuration, changes will affect the global Jira field configuration.
Structure
Each value can include optional color coding for visual distinction:
[
{
"name": "Low",
"hexColor": "39A31A",
"fontHexColor": "EBFFE4"
},
{
"name": "Medium",
"hexColor": "D08300",
"fontHexColor": "FFF7E4"
},
{
"name": "High",
"hexColor": "B50531",
"fontHexColor": "FFEDF3"
}
]
Probability values
Configure the following fields to define your probability scales:
Initial Occurrence Probability - P1 values (typically, the likelihood of the hazardous situation occurring)
Initial Harm Probability - P2 values (typically, the likelihood of harm given the hazardous situation)
Initial Total Probability - P0 values (combined probability result)
Residual Occurrence Probability - Post-mitigation P1 values
Residual Harm Probability - Post-mitigation P2 values
Residual Total Probability - Post-mitigation P0 values
Example for a 5-level probability scale:
[
{
"name": "Rare",
"hexColor": "0B5394",
"fontHexColor": "FFFFFF"
},
{
"name": "Unlikely",
"hexColor": "39A31A",
"fontHexColor": "FFFFFF"
},
{
"name": "Possible",
"hexColor": "F1C232",
"fontHexColor": "000000"
},
{
"name": "Probable",
"hexColor": "D08300",
"fontHexColor": "FFFFFF"
},
{
"name": "Frequent",
"hexColor": "B50531",
"fontHexColor": "FFFFFF"
}
]
Severity values
Configure severity scales for both initial and residual risk assessment:
Initial Severity - Pre-mitigation severity scale
Residual Severity - Post-mitigation severity scale
Example for a 5-level severity scale:
[
{
"name": "Negligible",
"hexColor": "0B5394",
"fontHexColor": "FFFFFF"
},
{
"name": "Minor",
"hexColor": "39A31A",
"fontHexColor": "FFFFFF"
},
{
"name": "Serious",
"hexColor": "D08300",
"fontHexColor": "FFFFFF"
},
{
"name": "Critical",
"hexColor": "CC0000",
"fontHexColor": "FFFFFF"
},
{
"name": "Catastrophic",
"hexColor": "660000",
"fontHexColor": "FFFFFF"
}
]
Risk evaluation values
Risk evaluation values include an acceptability indicator that determines whether risks require mitigation:
Initial Risk Acceptability Evaluation - Pre-mitigation risk levels
Residual Risk Acceptability Evaluation - Post-mitigation risk levels
Example for a 5-level evaluation scale:
[
{
"name": "Negligible",
"hexColor": "0B5394",
"fontHexColor": "FFFFFF",
"acceptable": "ACCEPTABLE"
},
{
"name": "Low",
"hexColor": "39A31A",
"fontHexColor": "FFFFFF",
"acceptable": "ACCEPTABLE"
},
{
"name": "Medium",
"hexColor": "F1C232",
"fontHexColor": "000000",
"acceptable": "NOT_ACCEPTABLE"
},
{
"name": "High",
"hexColor": "D08300",
"fontHexColor": "FFFFFF",
"acceptable": "NOT_ACCEPTABLE"
},
{
"name": "Unacceptable",
"hexColor": "B50531",
"fontHexColor": "FFFFFF",
"acceptable": "NOT_ACCEPTABLE"
}
]
Configuring risk matrices
Once probability and severity values are defined, configure the four evaluation matrices that determine risk calculations. These matrices map the relationships between your configured values.
Important: All possible combinations must be defined. Missing combinations will cause unexpected behavior.
Available matrices
Initial Total Probability matrix - Maps P1 (occurrence) × P2 (harm) = P0 (total probability)
Initial Risk Evaluation matrix - Maps P0 × Severity = Risk Evaluation
Residual Total Probability matrix - Post-mitigation probability calculation
Residual Risk Evaluation matrix - Post-mitigation risk evaluation
Matrix structure
Matrices follow this JSON structure, where row and column values must exactly match the values defined in your probability and severity configurations (above):
{
"[Row Value]": {
"[Column Value]": "[Result Value]"
}
}
Example: Initial Total Probability Matrix
This maps occurrence probability (rows) and harm probability (columns) to total probability values:
{
"Low": {
"Low": "Rare",
"Medium": "Rare",
"High": "Rare"
},
"Medium": {
"Low": "Rare",
"Medium": "Probable",
"High": "Probable"
},
"High": {
"Low": "Rare",
"Medium": "Probable",
"High": "Certain"
}
}
Example: Initial Risk Evaluation Matrix
This maps total probability (rows) and severity (columns) to risk evaluation values:
{
"Rare": {
"Low": "Negligible",
"Medium": "Low",
"High": "Medium"
},
"Probable": {
"Low": "Low",
"Medium": "Medium",
"High": "High"
},
"Certain": {
"Low": "Medium",
"Medium": "High",
"High": "Unacceptable"
}
}
Configuring other risk field options
Customize dropdown options for various risk fields to match your risk management vocabulary.
Warning: If these fields are mapped to Jira custom fields via Field names configuration, changes will affect the global Jira field configuration.
Hazards
Define the types of potential sources of harm:
[
"Contamination",
"Electrical shock",
"Mechanical failure",
"Software malfunction",
"User error",
"Environmental exposure"
]
Hazardous situations
Define circumstances where patients are exposed to hazards:
[
"Patient contact during procedure",
"Operator maintenance activities",
"Emergency shutdown scenario",
"Power failure during operation"
]
Harms with default severity
Harms can optionally include an associated initial severity that auto-populates when selected:
[
{
"name": "Death",
"defaultInitialSeverity": "Catastrophic"
},
{
"name": "Permanent impairment",
"defaultInitialSeverity": "Critical"
},
{
"name": "Temporary injury requiring intervention",
"defaultInitialSeverity": "Serious"
},
{
"name": "Minor discomfort"
}
]
When strict mode is enabled with "Require harm and initial severity selection", users must select from these predefined harms and cannot override the associated severity.
Event sequences and steps
Define templates for sequences of events that lead from hazard to harm:
[
{
"name": "Medication Dosage Error",
"steps": [
{
"name": "Prescription Entry"
},
{
"name": "Dosage Calculation"
},
{
"name": "Dispensing"
},
{
"name": "Administration"
}
]
},
{
"name": "Device Malfunction",
"steps": [
{
"name": "Component Failure"
},
{
"name": "Alarm Failure"
},
{
"name": "Operator Unaware"
},
{
"name": "Continued Use"
}
]
}
]
Additional field configurations
Hazard Types - Categories of hazards (Electrical, Mechanical, Software, etc.)
System Categories - System components involved (Hardware, Software, Environment)
Risk Assessment Methodologies - Methods used (FMEA, FTA, HAZOP)
Warning: If these fields are mapped to Jira custom fields via Field names configuration, changes will affect the global Jira field configuration.
Hazard type-specific configuration
Override matrices for specific hazard types to provide more granular risk evaluation:
{
"Electrical": {
"initialTotalProbabilityMatrix": {
"Low": {
"Low": "Rare",
"Medium": "Probable",
"High": "Certain"
},
"Medium": {
"Low": "Probable",
"Medium": "Certain",
"High": "Certain"
}
},
"initialRiskEvaluationMatrix": {
"Rare": {
"Low": "Low",
"Medium": "High",
"High": "Unacceptable"
},
"Certain": {
"Low": "Medium",
"Medium": "Unacceptable",
"High": "Unacceptable"
}
}
},
"Software": {
"initialTotalProbabilityMatrix": {...},
"residualRiskEvaluationMatrix": {...}
}
}
When a user selects a hazard type with an associated configuration, those matrices override the default matrices for that specific risk.
Custom risk type configuration
For organizations managing multiple risk types (e.g., patient risks vs. cybersecurity risks), configure type-specific settings:
{
"Cybersecurity Risk": {
"initialTotalProbabilityMatrix": {...},
"initialRiskEvaluationMatrix": {...},
"residualTotalProbabilityMatrix": {...},
"residualRiskEvaluationMatrix": {...},
"initialOccurrenceProbability": [
{"name": "Unlikely", "hexColor": "39A31A"},
{"name": "Possible", "hexColor": "D08300"},
{"name": "Likely", "hexColor": "B50531"}
],
"initialSeverity": [
{"name": "Low Impact", "hexColor": "39A31A"},
{"name": "Medium Impact", "hexColor": "D08300"},
{"name": "High Impact", "hexColor": "B50531"}
],
"hazards": ["Data breach", "System compromise", "Denial of service"],
"harms": [
{"name": "Privacy violation", "defaultInitialSeverity": "High Impact"},
{"name": "Financial loss", "defaultInitialSeverity": "Medium Impact"},
{"name": "Reputation damage"}
],
"dataByHazardType": {
"Network": {
"initialRiskEvaluationMatrix": {...}
}
}
},
"Environmental Risk": {
"initialOccurrenceProbability": [
{"name": "Annual", "hexColor": "39A31A"},
{"name": "Monthly", "hexColor": "D08300"},
{"name": "Daily", "hexColor": "B50531"}
]
}
}
Strict mode interactions
When the following settings are enabled on the Project Settings page:
With "Require harm and initial severity selection"
Only harms defined in configuration can be selected
Initial severity is automatically set based on the harm's defaultInitialSeverity
Users cannot override the associated severity
With "Require derived risk analysis fields"
Risk acceptability is enforced from matrices, without the ability to change it manually
With "Require hazard/hazardous situation selection"
Free text entry is disabled
Only pre-configured values can be selected
Configuration hierarchy
Ketryx applies configurations in order of specificity:
Project level + Custom risk type + Hazard type specific
Project level + Custom risk type
Project level + Hazard type specific
Project level general
Organization level (same hierarchy as above)
System defaults
The most specific applicable configuration always takes precedence.
Best Practices
Define all probability and severity values before creating matrices
Ensure all matrix combinations are defined
Test configuration changes in a sandbox project first
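A pre-flight check for the first two practices (every value used in a matrix must be defined in the value lists, and every combination must be present), as an added example that is not part of Ketryx or its documentation. The 3-level scales and the deliberately defective matrix are constructed sample input, and `names` and `validate_matrix` are hypothetical helper names.

```python
import json

def names(value_list):
    """Extract the "name" of each entry in a value-list field."""
    return [v["name"] for v in value_list]

def validate_matrix(label, matrix, rows, cols, results):
    """Return the problems in one matrix: undefined values and missing combinations."""
    problems = []
    for row in matrix:
        if row not in rows:
            problems.append(f"{label}: row '{row}' is not a defined value")
    for row in rows:
        cells = matrix.get(row)
        if cells is None:
            problems.append(f"{label}: row '{row}' is missing")
            continue
        for col in cells:
            if col not in cols:
                problems.append(f"{label}: column '{col}' in row '{row}' is not a defined value")
        for col in cols:
            if col not in cells:
                problems.append(f"{label}: combination '{row}' x '{col}' is missing")
            elif cells[col] not in results:
                problems.append(
                    f"{label}: result '{cells[col]}' at '{row}' x '{col}' is not a defined value")
    return problems

# Constructed sample input: P1/P2 use Low/Medium/High, P0 uses Rare/Probable/Certain.
P1 = names(json.loads('[{"name": "Low"}, {"name": "Medium"}, {"name": "High"}]'))
P2 = P1
P0 = names(json.loads('[{"name": "Rare"}, {"name": "Probable"}, {"name": "Certain"}]'))

# Two deliberate defects: Medium x High is absent, and "Cetain" is a typo for "Certain".
BROKEN = json.loads("""{
  "Low":    {"Low": "Rare", "Medium": "Rare", "High": "Rare"},
  "Medium": {"Low": "Rare", "Medium": "Probable"},
  "High":   {"Low": "Rare", "Medium": "Probable", "High": "Cetain"}
}""")

def check_sample():
    """Validate the constructed matrix (rows = P1, columns = P2, results = P0)."""
    return validate_matrix("Initial Total Probability matrix", BROKEN, P1, P2, P0)

if __name__ == "__main__":
    for problem in check_sample():
        print(problem)
```

The same function covers the risk evaluation matrices by passing the total probability names as rows, the severity names as columns, and the risk evaluation names as results.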